Is ISO 27001 enough for NIS2 compliance?

If you start reading this article, chances are high that you know what NIS2, the European Cybersecurity regulation for businesses that are important to society, effective October 17th 2024, entails.

In case you don’t, please have a look at the following resources:

• General information about NIS2 (history, NIS1 vs NIS2, etc).
• To whom NIS2 applies.
• The difference in treatment between essential and important companies.
   

Over the years, as cybersecurity has become an increasingly important area of focus in IT, many medium to large companies have obtained ISO 27001 certification.   The question on most corporate management's minds: is the certificate sufficient to meet the NIS2 requirements?  Keep in mind that in many countries the translation of EU legislation into national legislation has not yet been completed, so additional requirements may emerge.

More insights in DORA requirements and their mapping to ISO controls can be found in this article.

The scope of the ISO certificate

NIS2 emphasizes cybersecurity from a societal perspective.  The scope is the activities that are important for the continuity of the proper functioning of a country.   So first and foremost, you must ensure that the scope of activities that are ISO 27001 certified in your company are all activities that are important or essential to society.

ISO 27001:2013  vs ISO 27001:2022

ISO 27001:2022 is the latest version of the global standard for information security management systems (ISMS). Released by the International Organization for Standardization (ISO) on December 15, 2022, this version serves as an improvement and revision of its predecessor, ISO 27001:2013. Its primary purpose remains to establish a comprehensive framework of best practice policies, procedures and controls to mitigate the risks of security breaches.

The framework of ISO 27001:2022 mirrors that of ISO 27001:2013, with a similar cycle for developing, implementing, maintaining and improving an ISMS. In addition, the overarching structure remains consistent with other ISO standards such as ISO 9001 (quality management) and ISO 14001 (environmental management), streamlining the integration process.

Nevertheless, ISO 27001:2022 introduces notable changes and improvements over ISO 27001:2013, including:

• Stressing the central role of top management providing guidance for the ISMS (also a NIS2 requirement).
• Updating the controls in Appendix A to incorporate emerging technologies and changing threats.
• Harmonization with relevant related standards such as ISO/IEC 27701 (privacy information management) and ISO/IEC 27018 (cloud computing).
• Clarifying the requirements for conducting risk assessments and performing risk remediation.

The transition period begins on October 31, 2022 and ends on October 31, 2025. Certifications based on ISO 27001:2013 will expire or be revoked at the end of the transition period.

ISO 27001:2013 is a good start, but ISO 27001:2022 is a better basis given its enhancements, which are in line with NIS2 requirements.   In addition, ISO:2013 certifications are valid only until one year after the effective date of the NIS2 legislation.    If you have ISO 27001:2013 and have not yet started upgrading the certificate, now is a good time to start doing so.

ISO 27001:2022 vs NIS2 requirements

Overview

The below table provides a mapping between NIS2 requirements and ISO 27001:2022 (and ISO 27002:2022).

Source: Hunt and Hackett

The importance of ISO 27002

The ISO 27002 standard is a detailed supplementary guide to the security controls in the ISO 27001 framework.  ISO 27002 provides best-practices guidance on selecting and implementing the controls listed in ISO 27001, however ISO 27002 controls (94 controls in the 2022 standard) aren’t compulsory to become 27001 certified.  They are, at best, a reference set of information security controls that organizations can use.  Also, companies can only certify for ISO 27001, not for ISO 27002.

As shown in the above table, many ISO 27002 controls map to NIS 2 requirements.  As such, while not required for obtaining the ISO 27001 certificate, (most of) ISO 27002 is mandatory for NIS2 compliance.

Business continuity management is where ISO 22301 may help, but it’s not a must.

Under NIS2, critical and important entities must ensure continuity of operations in the event of a major incident, which may be an incident other than a cyberattack, and which may not be an internal incident, but also an incident at a critical supplier. Organizations must therefore implement a comprehensive resilience framework - which includes business continuity, disaster recovery and crisis management - to minimize disruptions.

If organizations have carefully implemented the above ISO27001 and ISO27002 controls related to business continuity and disaster recovery (5.29 and 5.30 as core), they should comply with NIS2 in this area.  However, organizations covered by NIS2 could consider adding ISO 22301 for business continuity management (BCM). ISO 22301 is designed to help implement, maintain, and continuously improve a company's business continuity approach. While some aspects of ISO 27001 include business continuity management, it does not define a process for implementing BCM. That's where the complementary standard ISO 22301 comes in. Certification to this standard will further demonstrates compliance with NIS 2, but it’s not an absolute must.

Supply chain risk management is not just about information security

In the context of NIS2, attention should not only be paid to information security throughout the supply chain.  Any business continuity threat that could potentially spread through the entire supply chain should be identified and mitigated.  Therefore, the content of risk assessments can be revised to place more emphasis on business continuity measures implemented at the supplier.  The list of suppliers covered by the third-party risk management may also be revised because while the focus of ISO 27001 is more on the ICT supply chain, the focus of NIS2 on general business continuity may require you to expand the list of assessed suppliers.  Obviously, the security of potential IT integrations (eg. APIs) with these non-ICT suppliers must also be considered.

ISO 27036 for supply chain risk management is a bit like ISO 22301 for business continuity. ISO 27001 does not define a process for implementing third-party risk. That's where ISO 27036 can help companies that have no experience/expertise in this area or want to use the standard to structure the activity. But also here, ISO 27036 is in se not mandatory for NIS2 compliance. 

In the area of incident notification, there is certainly work to be done

Article 23 of the NIS2 DIRECTIVE states that “Each Member State shall ensure that essential and important entities notify, without undue delay, its CSIRT or, where applicable, its competent authority of any incident that has a significant impact on the provision of their services.”

Cyber criminals operate across national borders.  Therefore, NIS2 aims to improve cooperation and information sharing regarding cyber incidents across the European Union. Consequently, there is an obligation to report significant incidents immediately to competent authorities within specified deadlines, as determined by individual member states. The directive describes the prescribed lead times for such reports:

• First notification with 24 hours 
• First report within 72 hours 
• Full report within a month after notification

This requirement has far-reaching implications and is only marginally covered by the ISO 27001/27002 standards.  For organizations subject to the GDPR, the implementation of Annex A 5.24 (Information Security Incident Management Planning and Preparation) requires notification procedures to be in place to report data breaches to authorities within 72 hours.  However, NIS2 aims to report any security incident that poses a threat to business continuity within 24 hours. To report properly, companies must first have adequate detection, including initial analysis and forensics, and incident response.  Also, "military-style" internal reporting and decision-making processes must be in place to meet the 24-hour deadline.  These processes must not only be defined, but they must also be tested to ensure they work as they should.

This blogpost has been written in collaboration with Danny Zeegers, NIS2/ISO 9001/ISO27001 Expert at QFIRST. 

How Ceeyu can assist with NIS2 compliance

Ceeyu’s SaaS platform scans your network and the networks of a companies in the supply chain using automated active and passive scanning techniques like those hackers use, in search for software vulnerabilities and network weaknesses.  

Because not all security risks can be identified in an automated manner, Ceeyu also offers the possibility to carry out digital questionnaire-based audits.  This can be done by creating questionnaires tailored to the supplier, from a white sheet or starting from templates that Ceeyu makes available.  The completion of the questionnaire by the supplier and the follow-up of the process by the customer is done in a secure environment on the same SaaS platform. This enables a simple, central follow-up, entirely online and without the intervention of third parties. The closed platform guarantees the confidentiality of the survey, since only authorized persons have access to the application.    

As such, Ceeyu contributes to fulfilling a considerable part of requirements in Article 21 of the NIS2 regulation, more specifically:

[…] essential and important entities must take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems […]. The measures […] shall include at least the following:
(a)  policies on risk analysis and information system security;
(d)  supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e)  security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f)  policies and procedures to assess the effectiveness of cybersecurity risk-management measures;